Title:
DEVICE MANAGEMENT USER CENTRIC IDENTITY FOR SECURITY
Document Type and Number:
WIPO Patent Application WO/2016/087323
Kind Code:
A1
Abstract:
A mobile device management and security system is configured to control usage and security of managed mobile devices of a group of users registered to the system. The system comprises a security platform in a core of a cellular telecommunications network, and a mobile device management platform. The mobile device management platform is configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to the security platform the MSISDN and data pertaining to the associated secure web profile for each user. The security platform is configured: to receive and store an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

Inventors:
SANDERS DAVID (GB)
PATRIKIOS NESTOR (GB)
DE BERNARDI FABIO (GB)
Application Number:
PCT/EP2015/077884
Publication Date:
June 09, 2016
Filing Date:
November 27, 2015
Assignee:
VODAFONE IP LICENSING LTD (GB)
International Classes:
H04L29/06; H04L29/08; H04W12/00
Foreign References:
US20070143824A1 (2007-06-21)
US20100064341A1 (2010-03-11)
US20120210315A1 (2012-08-16)
US20120030293A1 (2012-02-02)
Attorney, Agent or Firm:
BOULT WADE TENNANT (70 Grays Inn Road, London WC1X 8BT, GB)
Claims:
CLAIMS

1. A mobile device management and security system configured to control usage and security of managed mobile devices of a group of users registered to the system, comprising: a security platform in a core of a cellular telecommunications network; and a mobile device management platform configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user;

to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and

to send to the security platform the MSISDN and data pertaining to the associated secure web profile for each user; wherein the security platform is configured: to receive and store an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

2. A mobile device management and security system as claimed in claim 1, wherein the security platform is configurable, by indication in a secure web profile, to apply one or more security policies keyed by MSISDN of the recipient user of the data packet, the security policies including:

a packet inspection filtering to filter out certain content;

an anti-phishing filter;

an anti-spam filter;

an anti-malware filter.

3. A mobile device management and security system as claimed in claim 1 or 2, further comprising: a traffic management platform configured to function as a load balancer for data traffic in the core of the cellular telecommunications network, having a traffic steering module that configures the traffic management platform to forward the data traffic for an MSISDN having a secure web profile to the security platform for processing.

4. A mobile device management and security system as claimed in claim 3, wherein the traffic steering module further configures the traffic management platform to receive the filtered data traffic for the MSISDN from the security platform and to forward it to the MSISDN.

5. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is further configured: to store in the administrator-configurable security policy set for each userID of the group of users a managed device profile defining a device management policy for managing the operation of a device by the user; and to send the managed device profiles to the user mobile devices.

6. A mobile device management and security system as claimed in claim 5, further comprising a mobile device of the user of the group of users comprising device management software for configuring the device: to receive and store from the mobile device management platform the managed device profile associated with the user's userID; and to apply the management policies indicated in the managed device profile to manage the operation of the device by the user.

7. A mobile device management and security system as claimed in claim 6, wherein the mobile device management software further configures the mobile device to send a request to the mobile device management platform for the managed device profile associated with the userID of the user logged into the mobile device management software.

8. A mobile device management and security system as claimed in claim 7, wherein the mobile device management platform is further configured, in response to receiving from the mobile device the request for the managed device profile indicating a userID, to send the managed device profile to the mobile device.

9. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is further configured: to receive a batch of MSISDNs for users of a group and to store an association between the MSISDNs and the userIDs for the users.

10. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is further configured to provide a portal accessible by an administrator of the group of users operable to assign security policy sets for users of the group of users at an individual or group level.

11. A mobile device management and security system as claimed in any preceding claim, wherein the group of users is an enterprise group or a family group of consumers.

12. A mobile device management and security system as claimed in a preceding claim, wherein the mobile device management platform is configured to maintain a database relating the MSISDNs of a group of users to the userIDs of the group of users.

13. A mobile device management and security system as claimed in a preceding claim, further comprising a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile directly to the security platform in a core of a mobile telecommunications network.

14. A mobile device management and security system as claimed in any of claims 1 to 12, further comprising a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile to the security platform in a core of a mobile telecommunications network via a local integration gateway of the mobile telecommunications network.

15. A security platform in a core of a cellular telecommunications network for use in a mobile device management and security system as claimed in a preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the security platform being configured: to receive and store from a mobile device management platform an association between the Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and an associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

16. A mobile device management platform for use in a mobile device management and security system as claimed in a preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the mobile device management platform being configured:

to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user;

to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and

to send to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user for the security platform to apply to user-requested data to be routed to the MSISDN of a user of the group of users security policies indicated in the secure web profile associated with that MSISDN.

17. A mobile device management and security method for controlling usage and security of managed mobile devices of a group of users registered to the system, comprising: at a mobile device management platform: receiving, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network; associating each MSISDN with a respective userID for the user; storing, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and sending to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user; and, at the security platform: receiving and storing an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, applying to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

Description:
DEVICE MANAGEMENT USER CENTRIC IDENTITY FOR SECURITY PROTECTION

FIELD OF THE INVENTION

[001] The present application relates to a mobile device management and security system and method, and to a security platform and a mobile device management platform for use in a mobile device management and security system.

BACKGROUND

[002] Enterprises (e.g. private or public companies, academic institutions, partnerships, governmental and quasi-governmental institutions, etc) provide enterprise users (e.g. employees) with access to computing resources (such as email servers, data resources for customer relationship management (CRM) systems, document management systems (DMS), enterprise resource planning (ERP) systems, and billing and accounting systems, etc) via an enterprise network (which may be supported by dedicated computing hardware directly connected by a local area network, or by distributed hardware which may be connected by a virtual private network over the internet, or by being hosted virtually in the cloud).

[003] It is becoming increasingly common for enterprise users to access the resources provided in the enterprise network using mobile devices such as laptops, tablets and smart phones. For this, the enterprise may provide the enterprise user with a mobile device for accessing the enterprise resources and for enterprise use. However, a current trend is towards enterprise users using their personally owned mobile devices to access the enterprise resources as well for their own personal use.

[004] This accessing of enterprise resources using mobile devices introduces a significant security vulnerability: confidential or sensitive information accessed by and stored on the remote devices, or access to the enterprise resources themselves, may become compromised if the devices are stolen or compromised by malware or viruses, or if the enterprise user is subjected to a successful phishing or other security attack.

[005] To attempt to mitigate the exposure of enterprise resources to the vulnerabilities posed by mobile devices, mobile device management (MDM) software is now used to manage enterprise use of these mobile devices that have access to the enterprise network. The MDM software has a client component, installed on the user mobile device, that allows an enterprise-level administrator operating a server component of the MDM software to define security policy sets for the users to control the configuration and security settings of the users' mobile devices registered to the enterprise user group. For this, the MDM server component sends security policy updates over the air (OTA) to the user devices, where the client component of the MDM software receives those updates and configures the device accordingly. The administrator may operate the MDM software to set security policies for individual users, for groups thereof or for all the enterprise users registered to the enterprise.

[006] For example, the MDM software may be used by an enterprise administrator to restrict a user from installing certain black-listed applications or to allow or require a user to only install certain approved, white-listed applications (e.g. virus protection). Further, security policies set by the administrator and implemented by the MDM software on the device may enforce security restrictions on the user, such as requiring users to set passwords having certain lengths and characters, and for detecting any attempts to jailbreak the device. Security policies may be provided to implement a wide range of restrictions and functionalities at the device, such as implementing basic find, lock and wipe capabilities.

[007] Generally, the enterprise users of the MDM software are keyed by a user identifier (userID) that uniquely identifies that user within the enterprise MDM user group. The MDM userID is a general free-form identifier for the user which could be a username, email address or even a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of the user registered to the cellular telecommunications network. Thus the OTA security policy updates for a given user are sent to devices registered with the userID for the user by a device identifier (deviceID). There is no dependency in the MDM platform on an MSISDN of a user subscription, as the user may use a device that does not have a subscription to a cellular network to access the enterprise resources. Similarly, if a user transfers a subscriber identity module (SIM) card for authenticating and identifying the subscription to the network by the MSISDN from one mobile device to another, the MDM security settings remain with the original enrolled device keyed by userID and are not transferred to the new device with the SIM card.

[008] Enterprise users of mobile devices are often also provided by the enterprise with a subscription to a mobile cellular communication network, for example by providing a subscriber identity module (SIM) card for insertion into the mobile device usable to authenticate and identify the subscription to the network by an MSISDN. The network operator uses the MSISDN identified to the network by the SIM card to connect voice calls to the device and to establish and maintain data plane connections to the device to send and receive data which may include, for example, email, http requests and return web traffic, served web pages, streaming data including audio and video, etc.

[009] To protect the enterprise and the enterprise user device, having access to the enterprise network resources, from threats such as identity theft, fraud, intelligence gathering and sabotage, the mobile cellular telecommunications network may provide a security platform that the enterprise can use to provide a safe internet experience for its enterprise users connecting to the internet over the cellular GPRS/3G/4G network for data transfer. The security platform is provided in the core of the mobile cellular telecommunications network, e.g. by the network provider, and it supports basic and advanced security features for data traffic being routed to and from the user devices based on the MSISDN to/from which the data traffic is routed.

[010] Specifically, the security platform can provide content filtering (e.g. by packet inspection), anti-malware capabilities, anti-phishing capabilities and anti-spam capabilities. An administration portal for the security platform allows an enterprise administrator to customise security policies keyed by MSISDN of the enterprise users to be applied to the data traffic in the core network. These security policies are set by the administrator operating the security platform portal on a subscription-by-subscription basis.

[011] Thus currently, enterprise networks and resources are protected by administrator control of a separate security platform and mobile device management platform.

[012] It is in this context that the present invention has been devised.

SUMMARY OF THE INVENTION

[013] Viewed from one aspect, the present invention provides a mobile device management and security system configured to control usage and security of managed mobile devices of a group of users registered to the system. The system comprises: a security platform in a core of a cellular telecommunications network; and a mobile device management platform. The mobile device management platform is configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to the security platform the MSISDN and data pertaining to the associated secure web profile for each user. The security platform is configured: to receive and store an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

[014] In accordance with the present invention, a mobile device management and security system is provided in which a mobile device management (MDM) platform receives and stores a relation between the userID used to key MDM over-the-air security policy updates for each user and the MSISDN for a subscription to a mobile cellular network for those users. Further, the MDM platform then provides functionality that allows a secure web profile defining a security policy for a user's safe Internet experience to be managed as part of the security policy set for the enterprise at a user or group level. The secure web profile for each user is then sent to the security platform in the core network of the mobile telecommunications network, keyed by MSISDN. In this way, enterprise resource security officers are provided with a single platform that enables the setting of MDM security policies and mobile cellular telecommunication network security policies for enterprise users at a user or group level. This is achieved by combining and relating the two different user identity paradigms, namely, userID-centric for MDM systems and MSISDN-centric for mobile cellular telecommunication network security systems.

[015] In embodiments, the security platform is configurable, by indication in a secure web profile, to apply one or more security policies keyed by MSISDN of the recipient user of the data packet, the security policies including: a packet inspection filtering to filter out certain content; an anti-phishing filter; an anti-spam filter; an anti-malware filter.

[016] In embodiments, the mobile device management and security system further comprises: a traffic management platform configured to function as a load balancer for data traffic in the core of the cellular telecommunications network, having a traffic steering module that configures the traffic management platform to forward the data traffic for an MSISDN having a secure web profile to the security platform for processing.

[017] In embodiments, the traffic steering module further configures the traffic management platform to receive the filtered data traffic for the MSISDN from the security platform and to forward it to the MSISDN.

[018] In embodiments, the mobile device management platform is further configured: to store in the administrator-configurable security policy set for each userID of the group of users a managed device profile defining a device management policy for managing the operation of a device by the user; and to send the managed device profiles to the user mobile devices.

[019] In embodiments, the mobile device management and security system further comprises a mobile device of a user of the group of users comprising device management software for configuring the device: to receive and store from the mobile device management platform the managed device profile associated with the user's userID; and to apply the management policies indicated in the managed device profile to manage the operation of the device by the user.

[020] In embodiments, the mobile device management software further configures the mobile device to send a request to the mobile device management platform for the managed device profile associated with the userID of the user logged into the mobile device management software.

[021] In embodiments, the mobile device management platform is further configured, in response to receiving from the mobile device the request for the managed device profile indicating a userID, to send the managed device profile to the mobile device.

[022] In embodiments, the mobile device management platform is further configured: to receive a batch of MSISDNs for users of a group and to store an association between the MSISDNs and the userIDs for the users. In this way, an enterprise can add its enterprise users' subscriptions to the MDM platform in bulk to provide enterprise-wide control over their security and access to enterprise resources over the mobile cellular telecommunications network.

[023] In embodiments, the mobile device management platform is further configured to provide a portal accessible by an administrator of the group of users operable to assign security policy sets for users of the group of users at an individual or group level. In this way, enterprise administrators can control the security and access of a group of users to enterprise resources using subscriptions to mobile cellular telecommunications networks from a mobile device management platform portal.
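A constructed Python model of the arrangement in [013] to [023], added here as an illustration and not the applicants' code or any operator's system: the MDM platform keeps the userID-to-MSISDN relation and the administrator's policy sets, pushes each secure web profile to the core security platform keyed by MSISDN, and the traffic steering rule diverts only traffic for managed MSISDNs through the filters. The class names, the filter verdicts on a packet and the MSISDNs are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SecureWebProfile:
    """Policy for traffic sent to a user over the cellular network; the flags mirror
    the four policies of [015], blocked_categories is a constructed inspection detail."""
    packet_inspection: bool = False
    anti_phishing: bool = False
    anti_spam: bool = False
    anti_malware: bool = False
    blocked_categories: frozenset = frozenset()


@dataclass(frozen=True)
class DataPacket:
    """Downlink traffic about to be routed in the core (constructed)."""
    msisdn: str                   # recipient subscription: the routing key in the core
    category: str                 # constructed label an inspection engine would assign
    threat: Optional[str] = None  # constructed verdict: "phishing", "spam", "malware"


class SecurityPlatform:
    """Core-network security platform: keyed by MSISDN, unaware of userIDs."""
    def __init__(self) -> None:
        self.profiles: dict[str, SecureWebProfile] = {}

    def store_association(self, msisdn: str, profile: SecureWebProfile) -> None:
        self.profiles[msisdn] = profile

    def apply(self, pkt: DataPacket) -> tuple[bool, str]:
        """Return (deliver, reason) after applying the profile stored for pkt.msisdn."""
        p = self.profiles[pkt.msisdn]
        if p.anti_phishing and pkt.threat == "phishing":
            return False, "anti-phishing"
        if p.anti_spam and pkt.threat == "spam":
            return False, "anti-spam"
        if p.anti_malware and pkt.threat == "malware":
            return False, "anti-malware"
        if p.packet_inspection and pkt.category in p.blocked_categories:
            return False, "content-filter:" + pkt.category
        return True, "filtered-ok"


class TrafficManagementPlatform:
    """Load balancer carrying the traffic steering module of [016] and [017]."""
    def __init__(self, security: SecurityPlatform) -> None:
        self.security = security

    def route(self, pkt: DataPacket) -> tuple[bool, str]:
        # Only traffic for an MSISDN that has a secure web profile is diverted to
        # the security platform; other subscriptions are forwarded untouched.
        if pkt.msisdn in self.security.profiles:
            return self.security.apply(pkt)
        return True, "forwarded-unfiltered"


class MDMPlatform:
    """MDM platform: keyed by userID, holds the userID <-> MSISDN relation of [014]."""
    def __init__(self, security: SecurityPlatform) -> None:
        self.security = security
        self.msisdn_of: dict[str, str] = {}                # userID -> MSISDN
        self.policy_set: dict[str, SecureWebProfile] = {}  # userID -> secure web profile

    def import_msisdns(self, batch: dict[str, str]) -> None:
        """Batch association of MSISDNs with userIDs ([022])."""
        self.msisdn_of.update(batch)

    def assign_profile(self, user_ids: Iterable[str], profile: SecureWebProfile) -> None:
        """Administrator assigns one profile at individual or group level ([023])."""
        for uid in user_ids:
            if uid not in self.msisdn_of:
                raise KeyError(f"no MSISDN associated with userID {uid!r}")
            self.policy_set[uid] = profile

    def push_to_security_platform(self) -> dict[str, SecureWebProfile]:
        """Translate userID-keyed policy into MSISDN-keyed policy and send it to the core."""
        sent = {self.msisdn_of[uid]: prof for uid, prof in self.policy_set.items()}
        for msisdn, prof in sent.items():
            self.security.store_association(msisdn, prof)
        return sent


def run_scenario() -> dict[str, tuple[bool, str]]:
    """Constructed walk-through: one enterprise group, two users, four packets."""
    security = SecurityPlatform()
    mdm = MDMPlatform(security)
    steering = TrafficManagementPlatform(security)
    # Constructed MSISDNs from the UK 07700 900xxx range reserved for fiction.
    mdm.import_msisdns({"alice": "+447700900001", "bob": "+447700900002"})
    sales = SecureWebProfile(packet_inspection=True, anti_phishing=True, anti_malware=True,
                             blocked_categories=frozenset({"gambling"}))
    mdm.assign_profile(["alice", "bob"], sales)  # group-level assignment
    mdm.push_to_security_platform()
    return {
        "phishing_to_alice": steering.route(DataPacket("+447700900001", "business", "phishing")),
        "spam_to_bob": steering.route(DataPacket("+447700900002", "news", "spam")),
        "gambling_to_bob": steering.route(DataPacket("+447700900002", "gambling")),
        "phishing_to_unmanaged": steering.route(DataPacket("+447700900999", "business", "phishing")),
    }
```

The last case shows the steering property that matters operationally: a subscription the MDM platform never associated with a profile is forwarded without any filtering, so the userID-to-MSISDN import is the step that brings a user under the core-network policy.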

[024] In embodiments, the group of users is an enterprise group or a family group of consumers. The invention may also be applicable to consumer groups such as families, where the parent acts as an administrator for the security and MDM controls applied to children's access to the internet on their mobile electronic devices through subscriptions to the mobile cellular telecommunications network.

[025] In embodiments, the mobile device management platform is configured to maintain a database relating the MSISDNs of a group of users to the userIDs of the group of users.

[026] In embodiments, the mobile device management and security system further comprises a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile directly to the security platform in a core of a mobile telecommunications network.

[027] Alternatively, or in addition, in embodiments, the mobile device management and security system further comprises a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile to the security platform in a core of a mobile telecommunications network via a local integration gateway of the mobile telecommunications network.

[028] Viewed from another aspect, the present invention provides a security platform in a core of a cellular telecommunications network for use in a mobile device management and security system as claimed in a preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the security platform being configured: to receive and store from a mobile device management platform an association between the Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and an associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

[029] Viewed from yet another aspect, the present invention provides a mobile device management platform for use in a mobile device management and security system as claimed in a preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the mobile device management platform being configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user for the security platform to apply to user-requested data to be routed to the MSISDN of a user of the group of users security policies indicated in the secure web profile associated with that MSISDN.

[030] Viewed from yet another aspect, the present invention provides a mobile device management and security method for controlling usage and security of managed mobile devices of a group of users registered to the system, comprising: at a mobile device management platform: receiving, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network; associating each MSISDN with a respective userID for the user; storing, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and sending to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user; and, at the security platform: receiving and storing an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, applying to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.

[031] Within the scope of this application it is expressly envisaged that the various aspects, embodiments, examples and alternatives set out in the preceding paragraphs, in the claims and/or in the following description and drawings, and in particular the individual features thereof, may be taken independently or in any combination. Features described in connection with one aspect or embodiment of the invention are applicable to all aspects or embodiments, unless such features are incompatible.

BRIEF DESCRIPTION OF THE DRAWINGS

[032] Certain preferred embodiments will now be described, by way of example only, with reference to the accompanying drawings, in which:

[033] Figure 1 shows a schematic illustration of an MDM and security system in accordance with an embodiment of the present invention and an example organisational hierarchy of the enterprise administrator, enterprise users and enterprise devices of the system;

[034] Figure 2 shows a schematic diagram of an enterprise user mobile device, MDM platform and security platform in accordance with an embodiment of the present invention; and

[035] Figure 3 shows a process flow diagram of a mobile device management and security method for controlling usage and security of managed mobile devices of a group of users registered to the system.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[036] The detailed description set forth below in connection with the appended drawings is intended as a description of presently preferred embodiments of the invention, and is not intended to represent the only forms in which the present invention may be practised. It is to be understood that the same or equivalent functions may be accomplished by different embodiments that are intended to be encompassed within the spirit and scope of the invention. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that apparatuses and method steps that comprise a list of elements or steps do not include only those elements but may include other elements or steps not expressly listed or inherent. An element or step preceded by "comprises ...a" does not, without more constraints, preclude the existence of additional identical elements or steps that comprise the element or step.

[037] Referring now to Figure 1, there is shown a mobile device management and security system comprising a mobile device management (MDM) platform 120 and a security platform 110 provided in the core 104 of a local mobile cellular telecommunications network, which may be a GPRS, UMTS or LTE network. The cellular telecommunications network further comprises plural base stations 103a, 103b that provide a radio access network (RAN) comprising a number of radio cells, which acts as an air interface to allow mobile radio communications with user mobile electronic devices or user equipment 102a,i ... n,j within those cells by establishing radio bearers therebetween. The mobile electronic devices 102a,i ... n,j may be tablets, laptops, or as in this case, smartphones, or another appropriate electronic device for connecting to the mobile cellular telecommunications network to allow user data communication with the Internet therethrough. The mobile telecommunications network supports voice communications by a public switched telephone network PSTN (not shown) using the mobile electronic devices 102a,i ... n,j and data communications with, for example, the Internet 105, using those devices 102a,i ... n,j.

[038] Referring now also to Figure 2, a subscriber identity module (SIM) 1026i is removably inserted into an electronic device (e.g. 102i, a smartphone). The SIM 1026i carries a Mobile Station International Subscriber Directory Number (MSISDN) usable to authenticate and uniquely identify a subscription of a user to voice and data communications services provided over the mobile cellular telecommunications network by the network provider. The MSISDN functions as a global title for routing data and voice communications in the core network 104 to the electronic device 102a carrying the SIM 1026i. In this way, a user 101a of an electronic device 102a,i may, using a browser program stored in a memory 1024i of the electronic device 102i, send a data request via the core 104 of the mobile cellular telecommunications network to a web server via the Internet 105 located by a uniform resource locator (URL) to serve to the electronic device 102i content constructed in Hypertext Markup Language (HTML) as a website. The core network 104 routes the content of the website to the electronic device 102i using the MSISDN of the SIM 1026i, where it is displayed in a graphical user interface of the browser on a display screen thereof (not shown).

[039] In an enterprise context, an enterprise (e.g. private or public companies, academic institutions, partnerships, governmental and quasi-governmental institutions, etc.) may provide employees (or other agents of the enterprise) 101a...n with one or more electronic devices 102a,i...n,j for their use in conducting their activities in the course of carrying out their duties for the enterprise. Alternatively, enterprise users may "bring their own devices" for the purposes of carrying out their business activities for the enterprise, which is increasingly common. For example, in the user group shown in Figure 1, user 101a has two enterprise devices, a smartphone 101a,1 and a tablet 101a,2, registered to the MDM platform 120, user 101b has one device, smartphone 101b,1, and so on.

[040] These enterprise users (e.g. employees) 101a...n may use their devices 102a,i...n,j to access enterprise computing resources (such as email servers, data resources for customer relationship management (CRM) systems, document management systems (DMS), enterprise resource planning (ERP) systems, and billing and accounting systems, etc.). This may be via the internet or via an enterprise network which may be supported by dedicated computing hardware directly connected by a local area network, or by distributed hardware which may be connected by a virtual private network over the internet, or by being hosted virtually in the cloud.

[041] To provide the enterprise users 101a...n with voice and data connectivity using the mobile cellular telecommunications network, the IT administrator 101A may provide the enterprise users 101a...n with subscriptions from the mobile cellular telecommunications network service provider for voice and data communications therethrough. Alternatively, in a "bring your own device" context, the user may access the mobile cellular telecommunications network by his or her own subscription thereto. Not all of the devices 102a,i...n,j that the enterprise users 101a...n use to access enterprise resources are provided with subscriptions to the mobile telecommunications network. For example, some laptops or tablet devices are not provided with the necessary input/output hardware and software to enable them to communicate with the RAN nodes 103a,b. Instead, these devices provide connectivity for the user to access enterprise resources by, for example, a WiFi connection to a wireless access point of a wired network.

[042] To access the enterprise resources using the mobile cellular telecommunications network, however, the enterprise electronic device 102a,i carries a SIM having an associated MSISDN to authenticate and uniquely identify the enterprise user's 101a subscription to enable voice and data communications to be routed to the device 102a,i.

[043] To monitor and control the use and security of the device in accessing the enterprise resources over the internet using the mobile cellular telecommunications network, a security platform 110 is provided in the core network 104 to carry out security controls on data traffic in the core network 104 received from/to be sent to the user electronic devices 102a,i...n,j, based on the MSISDN of the users. The security platform 110 is provided as a server that is configured by a security platform programme 113 instantiated in the RAM 112 to cause the processor 111 to perform security operations on data traffic in the core network 104 based on the MSISDN to which that traffic is to be routed. The security operations may include content filtering, anti-virus and malware filtering, harmful website protection (e.g. anti-phishing), etc.

[044] To control the security settings for the enterprise users 101a...n and their one or more devices 102a,i...n,j, a mobile device management platform 120 is provided. The MDM platform 120 is provided with a mobile device management server program 123 instantiated in RAM 122 that configures the processor 121 to provide, using a web server, a web portal accessible over the internet by the IT administrator 101A. Using the portal, the IT administrator 101A can set the security settings for a given enterprise user 101a...n at an individual or group level. The security settings for each user generate a security policy set that is stored in security policy set store 127. The security policy sets stored in security policy set store 127 are generally keyed for each user 101a...n by a userID that uniquely identifies that user in the MDM platform 120 and by a deviceID that uniquely identifies the device 102a,i...n,j in the MDM platform 120.

[045] To allow control of the security platform 110 in the core 104 of the mobile cellular telecommunications network, which uses a different, subscriber-based paradigm for distinguishing data traffic in the core network 104 and filtering it for security purposes, the MSISDNs of each user subscription are also received at MDM platform 120 and stored in MSISDN store 125. The MSISDNs of each user's subscription may be received at the MDM platform 120 by being individually input by the IT administrator 101A or by being retrieved in bulk automatically from, for example, the enterprise's CRM or ERP systems.

[046] A hierarchical relation or affiliation between userIDs, the deviceIDs and the MSISDNs for the user subscriptions is generated in the MDM platform 120 and stored in the userID-deviceID-MSISDN store 126. This facilitates the setting of the security policies for each user in the MDM platform 120 and the communication of those security policies to the relevant enterprise user devices 102a,i...n,j or security platform 110 in the core network 104, keyed by the relevant one of the userID, deviceID and MSISDN. The IT administrator 101A can group the users together into user groups dependent on, for example, department, seniority, security clearance level etc.

[047] Security policy updates, in the form of secure web profile updates 106, keyed by MSISDN, are sent by the MDM platform 120 to the security platform 110 for controlling the filtering of data traffic on the network, where they are stored in the MSISDN secure web profile store 115 in memory 114. The security platform program 113 instantiated in the RAM 112 configures the processor 111 to apply, based on the secure web profile for a given user subscription stored in MSISDN secure web profile store 115, filters and other security controls to data traffic in the core network 104 keyed by the MSISDN to/from which the data is to be routed.

[048] Security policy updates, in the form of managed device profiles, keyed by userID and optionally also deviceID, are sent by the MDM platform 120 by over the air (OTA) updates (e.g. by broadcasting) and stored in the managed device profile store 1025i of the relevant devices 102a,i...n,j belonging to the relevant users 101a...n. In order to control the security settings and use of the devices 102a,i...n,j by the users 101a...n, each enterprise user mobile device 102a,i...n,j is provided with a mobile device management platform client program 1023i instantiated in RAM 1022i that configures the processor 1021i to implement security policies based on the managed device profiles received from the mobile device management platform 120 by over the air (OTA) updates and stored in the managed device profile store 1025i. For example, by operating the mobile device management platform 120 the IT administrator 101A can set a password security policy and an email security policy for each user keyed by that user's userID. The user 102a's devices 102a,i both receive and store the managed device profile updates setting the password security policy and email security policy based on userID. Alternatively, to set a security policy for a specific device, a security policy may be keyed by deviceID as well as userID such that, for example, only device 102a,i receives and stores the managed device profile update setting the password security policy. The mobile device management platform client program 1023i then applies the security policies of the managed device profiles stored in managed device profile store 1025i such that, for example, a minimum password length and character requirement is applied by the device 102a,i, which may also require the user 102a to change the password periodically.

[049] To set the security settings for each user, the IT administrator 101A may use an Internet-connected computer or even a mobile electronic device (not shown) to point a browser to a specific URL providing the web portal for the MDM platform 120. On logging in and proving his or her credentials, the IT administrator 101A is presented with a graphical user interface displayed on a display of the device (not shown) having a number of user-manipulable widgets and controls by which the security settings for each enterprise user 101a...n, group of users or devices can be chosen. These security settings then generate and store, or update, the stored security profile set for each user. The mobile device management platform server program 123 then signals the security policies, or any changes thereto, to the security platform 110 and the user devices 102a,i...n,j in the form of secure web profile updates 106 and managed device profile updates 107. The MDM platform 120 and portal may be provided at a global level by the mobile cellular telecommunications network provider, and this platform may provide enterprise users globally with control over security settings for users in different regional or national mobile cellular telecommunications networks. The MDM platform 120 may send the secure web profiles for users directly to the security platforms in the core of the relevant national or regional mobile cellular telecommunications networks. Alternatively, a global integration gateway may be provided, configured to receive the secure web profiles from the global mobile device management platform 120 and to send the secure web profiles to the security platform in a core 104 of the relevant mobile telecommunications network via a local integration gateway of that mobile telecommunications network. This helps to account for local differences between the mobile telecommunications networks.

[050] The mobile device management and security system 100 enables enterprises to monitor and control the security of mobile electronic devices of enterprise users in accessing enterprise resources, from both a device management and a content security perspective, for communications through a cellular network, from a single portal and on a user-by-user or group basis. This is enabled in part by storing the linking of the user subscription IDs (i.e. the MSISDNs) with the userIDs and user profiles in the MDM portal.
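The identity linking of paragraphs [044] to [049], modelled as an added example (not code from the patent or from Vodafone; all class and function names, the MSISDN format check and the sample subscribers are hypothetical): one administrator-configured policy set per user splits into a secure web profile keyed by MSISDN for the core security platform and managed device profiles keyed by userID and deviceID for OTA delivery. Because the MSISDN is the only key the core uses, the import refuses to bind one MSISDN to two users, and a user with no linked subscription (a WiFi-only laptop) receives device profiles but no core-side profile.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicySet:
    """Administrator-configurable security policy set for a user (policy set store 127)."""
    web_filters: frozenset          # secure web profile: filters applied in the core network
    min_password_length: int        # managed device profile: password security policy
    require_email_encryption: bool  # managed device profile: email security policy


@dataclass
class MdmPlatform:
    """Hypothetical model of MDM platform 120 (added example, not the patent's own code)."""
    msisdn_by_user: dict = field(default_factory=dict)   # MSISDN store 125 (userID -> MSISDN)
    devices_by_user: dict = field(default_factory=dict)  # userID -> set of deviceIDs (store 126)
    policy_by_user: dict = field(default_factory=dict)   # policy set store 127

    @staticmethod
    def _valid_msisdn(msisdn):
        # Assumption: MSISDNs arrive in international form, '+' plus up to 15 digits.
        digits = msisdn[1:]
        return msisdn.startswith("+") and digits.isdigit() and 1 <= len(digits) <= 15

    def import_subscriptions(self, rows):
        """Bulk import of (userID, MSISDN) pairs, e.g. from CRM or ERP.
        An MSISDN keys the core-side policy, so it must belong to exactly one user."""
        for user_id, msisdn in rows:
            if not self._valid_msisdn(msisdn):
                raise ValueError(f"invalid MSISDN for {user_id}: {msisdn!r}")
            owner = next((u for u, m in self.msisdn_by_user.items() if m == msisdn), None)
            if owner is not None and owner != user_id:
                raise ValueError(f"MSISDN {msisdn} already linked to {owner}")
            self.msisdn_by_user[user_id] = msisdn

    def register_device(self, user_id, device_id):
        """Record a deviceID under its userID in the userID-deviceID-MSISDN store."""
        self.devices_by_user.setdefault(user_id, set()).add(device_id)

    def set_policy(self, user_ids, policy):
        """The administrator sets one policy set for a single user or a whole group."""
        for user_id in user_ids:
            self.policy_by_user[user_id] = policy

    def secure_web_updates(self):
        """Secure web profile updates 106: keyed by MSISDN, destined for security platform 110.
        Users without a linked MSISDN get no core-side profile."""
        return {
            self.msisdn_by_user[u]: p.web_filters
            for u, p in self.policy_by_user.items()
            if u in self.msisdn_by_user
        }

    def managed_device_updates(self):
        """Managed device profile updates 107: keyed by (userID, deviceID), sent OTA."""
        return {
            (u, d): {"min_password_length": p.min_password_length,
                     "require_email_encryption": p.require_email_encryption}
            for u, p in self.policy_by_user.items()
            for d in self.devices_by_user.get(u, ())
        }
```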

[051] Figure 3 is a process flow diagram showing a method of a mobile device management and security platform for controlling usage and security of managed mobile devices of a group of users registered to the system.

[052] The method includes, at step 301, at the mobile device management platform 120, receiving, for each user of the group of users 101a...n, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network. These are then stored in MSISDN store 125. These may be received at the MDM platform 120 by being individually input by the IT administrator 101A or by being retrieved in bulk automatically from, for example, the enterprise's CRM or ERP systems.

[053] Then, at step 302, an association between each MSISDN and a respective userID for the user is created and stored, e.g. in userID-deviceID-MSISDN store 126. This may be performed manually but is preferably performed automatically in a bulk import, for instance from the enterprise CRM or ERP system.

[054] Next, at step 303, the method comprises storing, for each user of the group of users, an administrator-configurable security policy set for each user. This is performed by the IT administrator 101A configuring security settings for users on a user-by-user basis or group basis using the portal provided by the MDM platform 120. The security policy set includes a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network. The security policy set also includes a managed device profile defining a device management policy for managing the operation of a device by the user. The managed device profile may include, for example, an email security profile and a password security profile and any number of other security profiles indicating a security policy for security aspects and functionality provided by the mobile device management client software 1023i operating in the RAM 1022i of the mobile device 102i. The secure web profile is keyed by the MSISDN of the user, whereas the managed device profile is keyed by the userID and/or the deviceID.

[055] Next, at step 304, the MDM platform 120 sends the stored secure web profile (or merely changes thereto) to the security platform 110 in the core 104 of the mobile cellular telecommunications network local to the user device. This may be sent by the MDM platform 120 directly to the security platform 110, or may be sent first to a global integration gateway and then on to a local integration gateway adapted for the local mobile telecommunications network. The secure web profile is keyed by the relevant user's MSISDN.

[056] On receiving the secure web profile for the or each of the group of users, in step 306 the security platform 110 stores the secure web profile settings for a given MSISDN in MSISDN security profile store 115.

[057] Then, in step 307, the security platform 110 continually monitors data traffic in the core 104 of the mobile cellular telecommunications network that is to be routed to/from an MSISDN for which there is a secure web profile stored in MSISDN security profile store 115. To achieve this, in embodiments the mobile device management and security system further comprises a traffic management platform (not shown) configured to function as a load balancer for data traffic in the core of the cellular telecommunications network. The traffic management platform has a traffic steering module that configures the traffic management platform to forward data traffic for an MSISDN having a secure web profile to the security platform for processing. The traffic steering module further configures the traffic management platform to receive the filtered data traffic for the MSISDN from the security platform and to forward it to the MSISDN.

[058] When such data is detected, at step 308, the security platform 110 applies to the data the security control and filter functionality indicated by the secure web profile 115 for that MSISDN. The security platform 110 is configurable, by indication in a secure web profile, to apply one or more security policies keyed by the MSISDN of the recipient user of the data packet. The security policies include: a packet inspection filtering to filter out certain content; an anti-phishing filter; an anti-spam filter; an anti-malware filter.

[059] Finally for the security platform 110, at step 309 the filtered and controlled result is routed to the Internet or to the user. For example, where a web content filter has detected and filtered out adult or sensitive content in a webpage to be routed to an MSISDN for which a web content filter setting is indicated in that MSISDN's secure web profile, the security platform 110 may send a blocked webpage notification to the MSISDN.

[060] Simultaneously, at step 305, the MDM platform 120 also sends, by an over the air transfer, the managed device profile (or changes thereto) keyed by userID and/or deviceID.

[061] On receiving the managed device profile, at step 311, the user mobile electronic device 102a,i stores the managed device profile in the managed device profile store 1025i.

[062] Then finally for the user mobile device 102a, in step 312, the MDM platform client program 1023i applies the device management settings and controls for the user device that are specified in the stored managed device profile.
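Steps 306 to 309 on the core-network side, as an added example that is not code from the patent or from Vodafone: a traffic steering module forwards only traffic for an MSISDN with a stored secure web profile through the security platform, which applies just the filters that profile names and substitutes a blocked notification when one fires. The packet model, filter names, hostnames and malware pattern are all constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed threat data standing in for the security platform's own feeds.
PHISHING_HOSTS = {"login-verify.example"}
ADULT_HOSTS = {"adult.example"}
MALWARE_PATTERNS = (b"CONSTRUCTED-MALWARE-PATTERN",)


@dataclass(frozen=True)
class Packet:
    """Constructed model of a downlink data unit routed in core 104."""
    msisdn: str   # global title the core routes the packet to
    url: str      # resource the response belongs to
    body: bytes


class SecurityPlatform:
    """Hypothetical model of security platform 110 (added example)."""

    def __init__(self):
        self.profile_store = {}  # MSISDN secure web profile store 115

    def store_profile(self, msisdn, filters):
        """Step 306: keep the secure web profile for this subscription."""
        self.profile_store[msisdn] = frozenset(filters)

    def inspect(self, pkt):
        """Step 308: apply only the filters named in this MSISDN's secure web profile."""
        filters = self.profile_store[pkt.msisdn]
        host = urlsplit(pkt.url).hostname or ""
        if "anti_phishing" in filters and host in PHISHING_HOSTS:
            return "blocked:phishing"
        if "content_filter" in filters and host in ADULT_HOSTS:
            return "blocked:content"
        if "anti_malware" in filters and any(p in pkt.body for p in MALWARE_PATTERNS):
            return "blocked:malware"
        return "allowed"


class TrafficManager:
    """Load balancer with a traffic steering module (step 307): only MSISDNs that have a
    stored profile are steered through the security platform."""

    def __init__(self, platform):
        self.platform = platform

    def route(self, pkt):
        """Step 309: return (packet delivered to the MSISDN, verdict)."""
        if pkt.msisdn not in self.platform.profile_store:
            return pkt, "not_steered"          # unmanaged subscription: forwarded untouched
        verdict = self.platform.inspect(pkt)
        if verdict == "allowed":
            return pkt, verdict
        # Blocked webpage notification replaces the filtered content.
        notice = Packet(pkt.msisdn, pkt.url, f"Blocked by policy: {verdict}".encode())
        return notice, verdict
```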

[063] In accordance with the present invention, a mobile device management and security system is provided in which a mobile device management (MDM) platform receives and stores the relation between the userID used to key MDM over the air security policy updates for users and the MSISDN for subscriptions to mobile cellular networks for those users. Further, the MDM platform then provides functionality that allows a secure web profile defining a security policy for a user's safe Internet experience to be managed as part of the security policy set for the enterprise at a user or group level. The secure web profile for each user is then sent to the security platform in the core network of the mobile telecommunications network, keyed by MSISDN. In this way, enterprise resource security officers are provided with a single platform that enables the setting of MDM security policies and mobile cellular telecommunication network security policies for enterprise users at a user or group level. This is achieved by combining and relating the two different user identity paradigms, namely, userID centric for MDM systems and MSISDN centric for mobile cellular telecommunication network security systems.

[064] While this detailed description and the embodiments set out above disclose the invention in the context of an enterprise setting, aspects of the present invention can also be implemented to provide a device management and security platform for use in a consumer family setting, in which the head of the family would be an IT administrator that sets the security policies for members of the family user group such as children.

[065] The description of the preferred embodiments of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or to limit the invention to the forms disclosed. It will be appreciated by those skilled in the art that changes could be made to the embodiments described above without departing from the broad inventive concept thereof. It is understood, therefore, that this invention is not limited to the particular embodiment disclosed, but covers modifications within the scope of the present invention as defined by the appended claims.